Digital identity sharing

ABSTRACT

A method for sharing digital identity data, the method comprising, using an identity network, receiving a sign-up request for a user from a relying party, providing, for display to a user interface of a user device, a list of identity providers, in response to receiving a selection of the identity provider from the list of identity providers, causing the user interface to display a login page associated with the selected identity provider, receiving, from the selected identity provider, a plurality of identity attributes associated with the user, providing, for display to the user interface, the plurality of identity attributes associated with the user, receiving consent from the user to share the plurality of identity attributes associated with the user with the relying party, and redirecting the user interface to a page associated with the relying party.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims benefit to U.S. Provisional Application No. 63/293,458 by Brindley et al., entitled “DIGITAL IDENTITY SHARING,” filed Dec. 23, 2021, the disclosure of which is incorporated by reference herein in its entirety. This application is a continuation-in-part of U.S. patent application Ser. No. 16/908,443 by Slowiak et al., entitled “DIGITAL IDENTITY SIGN-UP,” filed Jun. 22, 2020, which claims the benefit of priority to: U.S. Patent Application No. 62/864,891 by Woodward et al., entitled “DIGITAL IDENTITY,” filed Jun. 21, 2019; U.S. Patent Application No. 62/864,900 by Woodward et al., entitled “DIGITAL IDENTITY SIGN-UP,” filed Jun. 21, 2019; U.S. Patent Application No. 62/864,906 by Woodward et al., entitled “DIGITAL IDENTITY SIGN-IN,” filed Jun. 21, 2019; U.S. Application No. 62/864,911 by Woodward et al., entitled “DIGITAL IDENTITY STEP-UP,” filed Jun. 21, 2109; and U.S. Patent Application No. 62/864,889 by Woodward et al., entitled “DIGITAL IDENTITY LOCK,” filed Jun. 21, 2019, each of which is incorporated by reference herein in its entirety.

BACKGROUND

Most companies have an online presence today and each has information about each of its users and customers. However, authentication of a user is largely handled piecemeal by each company with little verification of the user by a trusted source. The current way that users are onboarded and authenticated lacks security, consistency, and ease of use for both the companies and the users. Additionally, current methods to perform identity verification online have considerable drawbacks in coverage, validity, and usability.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example system for providing an authenticated, universal digital identity for a user, according to an embodiment.

FIG. 2 illustrates an example data information flow using an authenticated, universal digital identity for a user, according to an embodiment.

FIG. 3 illustrates an example method for sharing identity attributes according to an embodiment.

FIGS. 4A-4E illustrate screenshots of a user interface for a user device during an identity attribute sharing process according to an embodiment.

FIG. 5 illustrates an example method for authenticating a user using identity attributes according to an embodiment.

FIGS. 6A-6G illustrate screenshots of a user interface for a user device during an identity attribute authentication process according to an embodiment.

FIG. 7 illustrates an example computer system.

SUMMARY

Embodiments of the present technology are directed to systems and methods for using identity attributes supplied by a user's trusted identity provider to sign up for and/or log into a website and/or mobile application of a relying party. Embodiments leverage the relationship between the user and the trusted identity provider (such as a bank or other financial institution), as well as banking regulations, to provide secure techniques for a relying party to authenticate an identity of a digital user.

One aspect of the disclosure provides for a method for sharing digital identity data, the method comprising, using an identity network, receiving a sign-up request for a user from a relying party, providing, for display to a user interface of a user device, a list of identity providers, in response to receiving a selection of the identity provider from the list of identity providers, causing the user interface to display a login page associated with the selected identity provider, receiving, from the selected identity provider, a plurality of identity attributes associated with the user, providing, for display to the user interface, the plurality of identity attributes associated with the user, receiving consent from the user to share the plurality of identity attributes associated with the user with the relying party, and redirecting the user interface to a page associated with the relying party. The method further comprising providing the relying party access to the plurality of identity attributes. Providing the relying party access to the plurality of identity attributes may comprise encrypting the plurality of identity attributes and transmitting the plurality of identity attributes to the relying party. Providing the relying party access to the plurality of identity attributes may comprise providing the relying party with a token that is useable by the relying party to access the plurality of identity attributes. The plurality of identity attributes may comprise at least one identity attribute selected from a group comprising of a name of the user, an address of the user, a telephone number of the user, an email address of the user, a gender of the user, a birthdate of the user, a peer-to-peer payment account token of the user, a driver's license number of the user, and a social security number of the user. The method may further comprise receiving a confirmation of authentication of the user, and wherein providing, for display to the user interface, the plurality of identity attributes may include providing the plurality of identity attributes in response to receiving the confirmation of authentication. The method may further comprise receiving from the relying party a first plurality of identity attributes associated with a user, and comparing the first plurality of identity attributes with the plurality of identity attributes provided by the selected identity provider to determine whether the identity attributes match.

Another aspect of the disclosure provides for a method of authenticating a user with shared digital identity data, comprising, using an identity network, receiving from a relying party a first plurality of identity attributes associated with a user, providing, for display to a user interface of a user device, a list of identity providers, in response to receiving a selection of an identity provider from the list of identity providers, causing the user interface to display a login page associated with the selected identity provider, receiving from the selected identity provider a second plurality of identity attributes associated with the user, comparing the first and second plurality of identity attributes to determine whether the identity attributes match, and redirecting the user interface to a page associated with the relying party based on the comparison between the first and second plurality of identity attributes. The first and second plurality of identity attributes are similar, and redirecting the user interface may include redirecting the user interface to a page notifying the user that the user is verified. The first and second plurality of identity attributes do not match, and redirecting the user interface may include redirecting the user interface to a login page of the relying party. The method may further comprise providing the relying party access to the second plurality of identity attributes. Providing the relying party access to the second plurality of identity attributes may comprise encrypting the second plurality of identity attributes and transmitting the encrypted second plurality of identity attributes to the relying party. Providing the relying party access to the second plurality of identity attributes may comprise providing the relying party with a token that is useable by the relying party to access the second plurality of identity attributes. The first and second plurality of identity attributes may comprise at least one identity attribute selected from a group comprising of a name of the user, an address of the user, a telephone number of the user, an email address of the user, a gender of the user, a birthdate of the user, a peer-to-peer payment account token of the user, a driver's license number of the user, and a social security number of the user. The method may further comprise receiving consent from the user to share the second plurality of identity attributes associated with the user with the relying party. The method may further comprise receiving a confirmation of authentication of the user, wherein providing, for display to the user interface, the plurality of identity attributes may include providing the plurality of identity attributes in response to receiving the confirmation of authentication.

Another aspect of the disclosure provides a non-transitory computing-device readable storage medium on which computing-device readable instructions of a program are stored, the instructions, when executed by one or more computing devices, causing the one or more computing devices to perform a method, comprising, receiving a sign-up request for a user from a relying party, providing, for display to a user interface of a user device, a list of identity providers, in response to receiving a selection of the identity provider from the list of identity providers, causing the user interface to display a login page associated with the selected identity provider, receiving, from the selected identity provider, a plurality of identity attributes associated with the user, providing, for display to the user interface, the plurality of identity attributes associated with the user, receiving consent from the user to share the plurality of identity attributes associated with the user with the relying party, and redirecting the user interface to a page associated with the relying party. The plurality of identity attributes may comprise at least one identity attribute selected from a group comprising of a name of the user, an address of the user, a telephone number of the user, an email address of the user, a gender of the user, a birthdate of the user, a peer-to-peer payment account token of the user, a driver's license number of the user, and a social security number of the user. The method may further comprise receiving a confirmation of authentication of the user, and wherein providing, for display to the user interface, the plurality of identity attributes may include providing the plurality of identity attributes in response to receiving the confirmation of authentication. The plurality of identity attributes may be a first plurality of identity attributes, and the method may further comprise comparing the first plurality of identity attributes with a second plurality of identity attributes provided by the selected identity provider to determine whether the identity attributes match.

DETAILED DESCRIPTION

The explosion of online user activity and data over the past decades have resulted in a disparate system in which most online companies have developed their own systems for users to sign-up, sign in, and utilize their services. Authentication of users is often difficult to ensure that online identity theft and other sinister activities are avoided. Further, the process for creation of new accounts and tracking of countless passwords for users is tedious.

To solve the problem of invalid authentication and password security for users, described herein is a system for utilizing identity attributes of a user known to a trusted identity provider (such as a bank or other financial institution) that a user may use to create new accounts and log into existing accounts with relying parties of the system. The identity network allows a user to sign up with a relying party using identity attributes from an identity provider and solves the technical problem faced by many online companies related to authentication of digital users. For example, online companies may require that a user provide information to create an account. However, the company has no way to verify or authenticate the new user. Companies cannot be sure that existing users are verified other than through their own password systems, which suffer from password theft issues and invalid initial sign up. Accordingly, the technical solution described herein provides a consistent and technical way for the company to authenticate the user using a universal online digital identity.

Users often have a trusted relationship with their banks, and banks are regulated so certain precautions are taken by banks to ensure the user is a legitimate and authenticated user. Banks and other providers that have regulated processes for identifying users may be used to authenticate users with a digital identity authentication and provide information on the users for relying parties by becoming an identity provider in the disclosed identity network. Relying parties, such as insurance companies, retailers, and so forth can enroll with the identity network to gain the benefit of the regulated user identification procedures of the identity provider authenticating the digital identity of users and customers and providing verified identity attributes upon account sign-up for a new customer. The identity network can broker authentication and information exchange using cryptographic technology and other verifiable methods between the relying party and the identity provider. Additional technological value can be provided by the identity network by overseeing and identifying suspicious activity overall for a device or user, obtaining information from various third parties for the relying party to further validate the user, and so forth.

FIG. 1 illustrates an example digital identity system 100 for utilizing identity attributes of a user known to a trusted identity provider to sign up for and/or log into accounts with relying parties. System 100 includes an identity network 105, a relying party 110, a user device 115, and an identity provider 120. Components or functionality described may be combined into fewer components or expanded into more components without departing from the scope of the present application.

The identity network 105 may include a network of one or more computers, such as computing device 600 shown in FIG. 6 , as described below. The identity network 105 may include a website 150. The identity network 105 may include other components or functionality than discussed, or may include components combined into fewer or more components without departing from the scope of the present application. The identity network 105 provides the functionality to broker the authentication and information exchange between the relying party 110 and the identity provider 120, as discussed in more detail herein.

The website 150 may be an internet interface provided by the identity network 105 that the relying party 110 may use to redirect the end user, for example, to select their identity provider 120 when a request is initiated. The website 150 may redirect the user to their identity provider 120 website or mobile application via a matrix barcode (e.g., a QR code), an application link, a website link, or via a short message service (SMS) or mobile push notification. In some embodiments, the relying party 110 may include a software development kit from the identity network 105 that is used to redirect the user to the website 150 to select the user's identity provider 120 when a request is initiated.

The relying party 110 may include one or more computing devices of any company or entity that would like to be able to authenticate the digital identity of a user. Examples of relying parties 110 include insurance companies, retailers, travel companies (e.g., airlines, hotels, cruise lines), utility companies, and the like. While only a single relying party 110 is depicted in FIG. 1 for the sake of simplicity of explanation, any number of relying parties 110 may be included in system 100.

The user device 115 may be any suitable computing device, such as computing device 600, as depicted and described with respect to FIG. 6 , of a user. For example, the user device 115 may be a laptop, smartphone, desktop computer, tablet, smartwatch, and the like. While only a single user device 115 is depicted in FIG. 1 for the sake of simplicity of explanation, any number of user devices 115 may be included in system 100.

The identity provider 120 may include one or more computing devices of any suitable company that can authenticate a user (having user device 115) for the relying party 110. The identity provider 120 may include, for example, banks and/or other financial institutions. The identity provider 120 may have detailed information regarding the identity of the user and may have previously verified the identity of the user of user device 115 because, for example, financial institutions are regulated by the government with respect to identifying customers with specificity. In this manner, the identity providers 120 may be relied upon to have accurately verified the identity of the user of user device 115. While only a single identity provider 120 is depicted in FIG. 1 for the sake of simplicity of explanation, any number of identity providers 120 may be included in system 100.

In use, a user may access a relying party 110 website 150 using the user device 115 to sign up with the relying party 110. For example, the user may wish to initiate a new relationship with the relying party 110 to, for example, become a customer of the relying party 110. The relying party 110 may request digital identity authentication and information for the user of the user device 115 from the identity network 105 via website 150. In some embodiments, the user device 115 may access a mobile application and/or website 150 of the relying party 110. The mobile application may access website 150 with an identity assertion to the relying party 110 to access an access-controlled portion of the website 150. The identity assertion may be a request to authenticate the digital identity of the user and, in some cases, request additional information about the user.

In response, the relying party 110 may direct the user device 115 to a page of the identity network 105 on the website 150. On that page, the identity network 105 may provide one or more identity providers 120 for the user to select for authenticating the user's digital identity. For example, the identity network 105 may provide a list including many identity providers 120, and the user may select an identity provider with which the user has a relationship with. For example, if the user is a customer of BankA, and BankA is provided by the website as an identity provider in a list of identity providers, the user may select BankA as the identity provider for authenticating that user's digital identity. If the user has a relationship with multiple identity providers 120, the user may select any one of the identity providers 120 with which the user has a relationship.

Once the user selects an identity provider 120, the identity network 105 may direct the user to a page of the selected identity provider 120 (e.g., a login page). On the page of the identity provider 120, the user may be presented with a login page associated with the selected identity provider 120. The user may enter login credentials to be authenticated at the selected identity provider 120. The selected identity provider 120 may verify the login credentials entered by the user to authenticate the user using various authentication techniques. For example, the identity provider 120 may offer single and/or multi-factor authentication methods in some embodiments to verify the login credentials entered by the user (e.g., by comparing the entered login credentials against a stored list of login credentials associated with the user and/or providing a verification code to a trusted device of the user for the user to confirm with the identity provider 120). Based on these authentication techniques, the identity provider 120 may indicate that the identity of the user has been authenticated. If the identity provider 120 fails to authenticate the identity of the user, the identity provider 120 may notify the identity network 105 that the user's identification has not been verified. Alternatively or additionally, the identity provider 120 may simply not let the user progress further with the authentication process, as described below.

Upon successful authentication of the user, the selected identity provider 120 may provide a number of identity attributes of the user to the identity network 105. The identity attributes may include, for example, the user's name, address, phone number, email address, gender, birthdate, peer-to-peer payment network token, and/or other identifying information. The identity attributes may be presented to the user by the identity network 105 on a confirmation page of the identity network 105. The confirmation page of the identity network 105 may be hosted on the website 150 or may be hosted on a page of the selected identity provider 120 (e.g., the confirmation page 300C, as shown in FIG. 3C). The user may review the identity attributes and may submit a consent approval to the identity network 105 to share the identity attributes with the relying party 110. However, in other embodiments, the identity attributes may be shared directly by the identity provider 120 with the relying party 11. In some embodiments, only those particular identity attributes requested by the relying party 110 may be provided by the identity network 105. In other embodiments, the user may consent to only share a select portion of the identity attributes with the relying party 110. Upon receiving the consent approval, the identity network 105 may redirect the user back to the relying party's website 150.

Once the user's identity attribute(s) have been provided to the relying party 110 by the identity network 105, the relying party 110 may utilize the shared identity attributes to authenticate the user's identity in the future. For example, the website 150 of the relying party 110 may present the user with a number of data fields in which to enter the user's identity attributes. The user may enter identity attributes in those data fields. The relying party 110 may store those provided identity attributes for use at a later step in the authentication process. Once the user has provided the identity attributes in the data fields, the user may be provided with a list of identity providers 120 (which may be the same or different from the list of identity providers 120 previously provided to the user). The user may select an identity provider 120 with which the user has already provided consent to share identity attributes, such as BankA. Once the user selects an identity provider 120, the user may be presented with a login page associated with the selected identity provider 120. The user may enter login credentials to be authenticated at the selected identity provider 120, which the selected identity provider 120 may verify, as discussed above.

Upon successful authentication of the user, the selected identity provider 120 may provide a number of identity attributes to the identity network 105 for presentation to the user on a confirmation page of the website 150 for the identity network 105. The user may review the identity attributes and consent to the identity network 105 sharing the identity attributes with the relying party 110. These identity attributes may then be shared with the relying party 110. The relying party 110 may then compare the set of identity attributes directly supplied by the user on the website 150 with those supplied by the identity provider 120 via the identity network 105 to determine whether the sets of identity attributes match.

Each identity attribute may include a substance and a format. For example, the identity attribute of a date (e.g., a birth date) is substantively a date. However, there may be different date formats use in each set of identity attributes (e.g., month/day/year, day/month/year, or the like). The sets of identity attributes may be considered matching where the substance of each identity attribute matches even where the format is different. For example, where one set of identity attributes including a birthdate of “12/7/1985” is compared to another set of identity attributes including a birthdate of “Dec. 7, 1985,” the relying party 110 may still determine these birthdates to match as the substance of each identity attribute matches, even if they are dissimilar in format. As such, the relying party 110 may determine that the sets of identity attributes match where each set has a same substance even if they include dissimilar formats. In some embodiments, the relying party 110 may automatically convert each identity attribute to a similar format (e.g., both identity attributes would be converted to a format involve just numerals, such as 1271985) when comparing the identity attributes to ensure that the substance of each However, in alternative embodiments, the relying party 110 may determine that the sets of identity attributes match only when both the substance and format are different. In some embodiments, only those identity attributes requested by the relying party 110 may be provided by the identity network 105.

The identity network 105 may redirect the user back to the relying party's website 150 to see the results of the comparison. If the relying party 110 determines that the identity attributes match, the relying party 110 may provide access to the user device 115 to access an access-controlled portion of the relying party's website 150. If the relying party 110 determines that the identity attributes do not match, the relying party 110 may provide a notification to the user device 115 that the user is not allowed access to the access-controlled portion of the relying party's website 150. Alternatively, if the relying party 110 determines that the identity attributes do not match, the relying party 110 may provide an indication to the user device 115 which of the data fields include identity attributes that do not match the identity attributes provided by the identity network 105 (e.g., the data fields may be highlighted or point at by an arrow, or the like). This may allow the user to change the indicated data fields to a different identity attribute that may match the first set of identity attributes. After this change, the relying party 110 may compare the sets of identity attributes again and, if the relying party 110 determine those sets match, the relying party 110 may provide the user device 115 with access to the access-controlled portion of the website 150. However, in other embodiments, the identity network 105 may compare the identity attributes to determine whether they match.

The identity attributes may be placed into data bundles for relying parties 110 to request. The data bundles may be requested from identity providers 120 as scope bundles and/or individual claims.

FIG. 2 illustrates an example data flow 200 of data through a digital identity system. The data flow 200 includes the relying party application 205, the identity network 105, the identity provider application 215, and the identity provider server 235. The identity provider application 215 and the identity provider server 235 collectively are included in the identity provider 120 as described with respect to FIG. 1 . Starting with the relying party application 205, associated with the relying party 110, the user may decide to sign-up for access to the relying party using the user's digital identity. In response, the relying party 110 may send a request to the identity network 105 to authenticate the user's identity. In some embodiments, the identity network 105 may provide a list of identity providers for the user to select from.

Once the identity provider 120 is selected, the identity network 105 may generate a token to associate the selected identity provider 120 with the user. This token may be stored in the identity network 105 to be used in the future by to expedite the authentication process. In particular, future requests to authenticate the user may include identifying the token associated with the user for the selected identity provider. Once the token is identified, the identity network 105 may look up the identity provider 120 associated with the token and launch the identity provider application 215 to the user, as discussed further below, without requiring the user to select form the list of identity providers 120. In some embodiments, the identity provider 120 may provide the token upon first request by the identity network 105 to authenticate the user with the identity provider 120.

The identity network 105 may generate a session ID and may provide the session ID to the relying party application 205. The session identifier may be used throughout the process to track the activity associated with the initial request from the relying party application 205 for the specific user.

Once the identity provider 120 is selected (or where the identity network 105 identifies a previously selected identity provider 120 associated with a token that is associated with the user), the identity provider application 215 corresponding to the selected identity provider 120 may be provided to the user. In some embodiments, where the user selects the identity provider 120, selecting the identity provider 120 may include selecting an application link (such as a deep link) associated with the identity provider application 215 to launch the identity provider application 215. The application link may include the session identifier generated by the identity network 105.

In the identity provider application 215, the user logs into their account and is subsequently authenticated with authentication module 220. For example, the identity provider 120 may verify the user through the authentication module 220 using the verification methods discussed above (e.g., single and/or multi-factor authentication methods). Upon successful authentication of the user, the identity provider 120 may provide a number of identity attributes associated with the user to the identity network 105. The identity network 105 may then provide the identity attributes to the identity provider application 215, which may display the identity attributes on a user interface of the user device 115. The user may review the identity attributes and may submit a consent approval on the identity provider application 215 (e.g., responding to a prompt displayed on the identity provider application 215 requesting consent) to provide consent to share the identity attributes with the relying party 110 or may decline such consent. If consent is declined, the process flow halts and nothing further happens, and/or a failure message is sent to the relying party application 205 indicating that the identity provider 120 will not be sharing the identity attributes of the user. When the user provides consent, the identity provider application 215 may provide the consent to the identity network 105.

The identity network 105, upon receiving the consent, may redirect the user device 115 from the identity provider application 215 to a page associated with the relying party application 205. The identity network 105 may also share the identity attributes with the relying party 110. In some embodiments, the identity network 105 may provide the relying party 110 a token that may be used by the relying party 110 to access the identity attributes directly from the identity network 105 (or another database), rather than transmitting the identity attributes to the relying party 110. In some embodiments, the relying party 110 may use this information in a sharing context in which the relying party 110 may utilize and/or store the identity attributes in a newly opened account for the user. For example, the relying party application 205 may use the identity attributes and/or other information to populate the user's information into the relying party application 205 registration form. In some embodiments, the relying party 110 may use the identity attributes in a matching context in which the relying party 110 may compare the identity attributes provided by the identity network 105 and identity provider 120 with identity attributes provided to the relying party 110 by the user to determine whether the identity attributes provided by the user match those provided by the identity network 105. If the relying party 110 determines that the identity attributes match, the relying party 110 may authenticate and verify the identity of the user. If the relying party 110 determines that the identity attributes do not match, the relying party 110 may halt the authentication process and, in some embodiments, notify at least one of the identification network 105 and/or user device 115 that the identity attributes do not match.

In some embodiments, the identity provider 120 and/or identity network 105 may encrypt the identity attributes and any other personal information. For example, the identity network 105 may transmit an encryption key with the session identifier to the relying party application 205 so that the relying party 110 has the key for decrypting the information. While a specific cryptographic key is described, other forms of cryptography and transmission of the cryptographic keys may be used without departing from the scope of the present application including symmetric cryptography, asymmetric cryptography, or any other suitable cryptography that maintains the security of the user's information between the parties.

FIG. 3 illustrates a method 300 for sharing identity attributes in account creation. Method 300 may be performed by, for example, the identity network 105. Some portions of the method 300 may be performed by software development kits (“SDKs”) provided by the identity network 105 to the identity providers 120 and the relying parties 110. Method 300 may begin with step 305 when the identity network 105 receives a sign-up request for a user from a relying party 110. For example, the relying party 110 may have specific information requested to fill out a registration application by the user. The user may select an option to use the identity network 105 digital identity to fill out some or all of the application. In doing so, the sign-up request from the relying party 110 may include a request for some or all of the user's information needed by the relying party 110 to fill out the application (e.g., identity attributes). The identity attributes may include any information about the user including, for example, the user's first and last name, address, telephone number, email address, gender, birthdate, peer-to-peer payment account token, driver's license number, social security number, and/or other personal identification information.

At step 310, the SDK in the relying party 110 application provides a list of identity providers 120 to the user via the user interface for the user to select. The list of identity providers 120 may include some or all identity providers 120 that are enrolled in an identity attribute sharing system, including, for example, enrolled banks and other financial institutions. The user may select an identity provider 120 with which the user has a relationship. For example, the user may select a bank or other financial institution that the user has an account with.

At step 315, the relying party 110 application may launch, in response to receiving the selection of an identity provider 120, a login page of the mobile application and/or website of the identity provider 120. When the user is using a mobile application of the relying party 110, the identity provider 120 may include a deep link used to launch the identity provider 120 mobile application. If the user is using a web application of the relying party 110, the identity provider may include a web redirect link to launch a new tab or browser and open the identity provider 120 web application. When the mobile application or web application is launched, the user may log into the identity provider 120 mobile application as the user normally would with the identity provider 120. For example, the user may enter the user's username and password, biometric information, and/or other login credentials. In some embodiments, single factor and/or multi-factor authentication techniques may be used to authenticate the user at the identity provider 120. In some embodiments, a confirmation of the authentication of the user by the identity provider 120 may be communicated to the identity network 105 at step 320. In some embodiments, this may include a confirmation message being communicated to the identity network 105.

At step 325, the identity network 105 may request and/or receive a number of identity attributes from the identity provider 120. The identity attributes may be presented for display to the user on the user interface of the user device 115. In some embodiments, the identity network 105 may cause the identity attributes to be presented to the user for display on the user interface of the user device 115. In other embodiments, the identity provider 120 may directly provide the identity attributes to the user for display on the user interface of the user device 115.

At step 330, the identity provider 120 application may request consent from the user to share the identity attributes with the relying party 110. While the consent request may appear to the user as being submitted by the identity provider 120, in reality the identity network 105 is requesting and receiving the requisite consent for the transaction as the broker for the information exchange.

At step 335, the identity network 105, in response to receiving the user's consent, may provide and/or otherwise share the identity attributes with the relying party 110. For example, the identity network 105 may provide the relying party 110 a token that may be used by the relying party 110 to access the identity attributes, rather than transmitting the identity attributes to the relying party 110. In some embodiments, the identity attributes may be encrypted and/or communicated to the relying party 110 via a secure network connection. The identity network 105 may also redirect the user interface to a website or application page of the relying party 110 such that registration of the user may be completed. The identity network 105 may also record an identity block to a ledger with a unique transaction identifier, a digital hash of the payload (e.g., indicators pointing to a unique digital address of the user, the bank provider, and merchant, etc.), or the like.

FIGS. 4A-4G illustrate screenshots that demonstrate a user's experience when completing an identity attribute sharing process, such as that described in relation to FIG. 3 . As shown in FIG. 4A, the user may navigate to a signup page 400A of a relying party (e.g., an insurance provider) website and/or mobile application. The user may opt to utilize the identity network to register with the relying party, such as by interacting with an icon 410 and/or otherwise interacting with the signup page. Upon opting to use the identity network 105, the user may be presented with a redirect page 400B (shown in FIG. 4B) prior to being redirected to a page 400C, as shown in FIG. 4C. On page 400C, the user may select an identity provider 120, such as a financial institution, with which the user has a pre-existing relationship from a list of possible identity providers 120 that are enrolled in an identity attribute sharing system by interacting with one of icons 420 associated with an identity provider 120.

Once the user has selected an identity provider 120 (e.g., the user has selected the icon 420 associated with the identity provider 120 MyBank), the user may be presented with a redirect page similar to page 400B prior to be redirected to a login page 400D of the selected identity provider 120, as shown in FIG. 4D. Once logged in, the user may be presented with a page 400E showing a number of identity attributes 430 that may be shared with the relying party 110 as shown in FIG. 4E. The user may review the identity attributes and decide whether to consent to the identity attributes 430 being shared with the relying party 110. For example, the user may interact with a consent request 440. Specifically, the user may interact with an icon 441 and/or otherwise interact with the screen to provide consent to share the identity attributes 430 or with an icon 442 to deny consent. Upon submitting a consent decision, the user may be presented with a redirect page similar to page 400B as the user is redirected to a page of the relying party 110. The page of the relying party 110 that the user is redirected to may be based on whether the user accepted or denied the consent to share. For example, if the user consented to share the identity attributes 430, the user may be redirected to a page to complete registration with the relying party 110. If the user denied the consent request 440, the user may be redirected to a page that requires the user to select a different identity provider 120 and/or to register manually. In some embodiments, the user may not be presented with any redirect pages and, instead, be redirected directly to the appropriate page.

FIG. 5 illustrates a method 500 for matching identity attributes in an account creation and/or sign in process. In some instances, method 500 may be used to authenticate a user that is already enrolled with a given relying party 110, with identity attributes from the user and an identity provider 120 being compared to authenticate the user for accessing the website of the relying party 110. Method 500 may be performed by, for example, the identity network 105. Some portions of the method 500 may be performed by SDKs provided by the identity network 105 to the identity providers 120 and the relying parties 110. Method 500 may begin when the identity network 105 receives a login request for a user from a relying party 110. For example, the relying party 110 may have specific information requested to fill out a login application by the user. The user may have previously provided a number of identity attributes to the relying party 110 as part of the registration process. The identity attributes may include any information about the user including, for example, the user's first and last name, address, telephone number, email address, gender, birthdate, peer-to-peer payment account token, driver's license number, social security number, and/or other personal identification information. The identity network 105 may receive the identity attributes at step 505 from the relying party 110 (e.g., from identity attributes entered by the user to the relying party 110).

At step 510, the SDK in the relying party 110 application may provide a list of identity providers 120 to the user via the user interface for the user to select from. The list of identity providers 120 may include some or all identity providers 120 that are enrolled in an identity attribute sharing system, including, for example, enrolled banks and other financial institutions. The user may select an identity provider 120 with which the user has a relationship. For example, the user may select a bank or other financial institution that the user has an account with.

At step 515, the relying party 110 application may launch, in response to receiving the selection of an identity provider 120, a login page of the mobile application and/or website of the identity provider 120. Each identity provider 120 will include a deep link and/or a web redirect link such that when the user is using a mobile application of the relying party 110, a deep link is used to launch the identity provider 120 mobile application. If the user is using a web application of the relying party 110, the web redirect link may launch a new tab or browser and open the web application of the identity provider 120. When the mobile application or web application is launched, the user may log into the identity provider 120 application and be provided a message confirming the authentication of the user, as normal with the user's username and password, biometric information, or other login credentials. In some embodiments, single factor and/or multi-factor authentication techniques may be used to authenticate the user at the identity provider 120. In some embodiments, a confirmation of the authentication of the user by the identity provide may be communicated to the identity network 105 at step 520. In some embodiments, this may include a confirmation message being communicated to the identity network 105.

At step 525, the identity network may request and/or receive a number of identity attributes from the identity provider 120. The identity attributes may be presented for display to the user on the user interface of the user device 115. In some embodiments, the identity network 105 may cause the identity attributes to be presented to the user. In other embodiments, the identity provider 120 may directly provide the identity attributes to the user for display on the user interface. At step 530, the identity provider 120 application may request consent from the user to share the identity attributes with the relying party 110 for matching purposes. While the consent request may appear to the user as being submitted by the identity provider, in reality the identity network is requesting and receiving the requisite consent for the transaction as the broker for the information exchange.

At step 535, the identity network 105, in response to receiving the user's consent, may provide and/or otherwise share the identity attributes with the relying party 110. In some embodiments, the identity attributes may be encrypted and/or communicated to the relying party 110 via a secure network connection. For example, the identity network 105 may provide the relying party 110 a token that may be used by the relying party 110 to access the identity attributes, rather than transmitting the identity attributes to the relying party 110. The relying party 110 and/or identity network 105 may compare the identity attributes provided by the identity provider 120 with those previously submitted by the user (e.g., during an initial registration process) to authenticate the user. The identity network 105 may also redirect the user interface to a website or application page of the relying party 110, such as a page that informs the user of the result of the matching/authentication. The identity network 105 may also record an identity block to a ledger with a unique transaction identifier, a digital hash of the payload (e.g., indicators pointing to a unique digital address of the user, the bank provider, and merchant, etc.).

FIGS. 6A-6H illustrate screenshots that demonstrate a user's experience when completing an identity attribute matching process, such as that described in relation to FIG. 5 . As shown in FIG. 6A, the user may navigate to a login page 600A of a relying party 110 website and/or mobile application. The login page 600A may include an icon 610 for a user to interact with once the user is ready to submit the verification information to the relying party 110. The login page 600A may include a number of data fields 611 for the user to enter different identity attributes. The user may enter identity attributes into each field as shown in FIG. 6B. The user may then attempt to login with the relying party 110 by using the identity network 105. Specifically, the user may submit the identity attributes to the identity network 105, such as by interacting with the icon 610 and/or otherwise interacting with the login page 600B.

Upon submitting the identity attributes 612 to the identity network 105, the user may be presented with a redirect page (shown in FIG. 6C) prior to being redirected to a page where the user may select an identity provider 120, such as a financial institution, with which the user has a pre-existing relationship with. For example, page 600D depicts a list of icons 620 associated with identity providers 120 that are enrolled in an identity attribute sharing system, as shown in FIG. 6D. Once the user has selected an identity provider 120 (such as the identity provider 120 used to register the user with the relying party 110, MyBank), the user may be presented with a redirect page, similar to the redirect page 600C, prior to be redirected to a login page 600E of the selected identity provider 120, as shown in FIG. 6E.

Once the user has logged in with the identity provider 120 through the login page 600E, the user may be presented with a page 600F showing a number of identity attributes 630 that may be shared with the relying party 110 as shown in FIG. 6F. The user may review the identity attributes 630 and decide whether to consent to the identity attributes being shared with the relying party 110 by interacting with the consent request 640. For example, the user may select an icon 641 and/or otherwise interact with the page 600F to provide consent to share the identity attributes 630 or deny consent by interacting with the icon 642.

Where the user provides consent to share the information, the user may be directed to a verification page 600H, as shown in FIG. 6H. On this page, the user may wait as the identity network 105 compares the identity attributes 612 submitted to the relying party 110 during the login process with the identity attributes 630 previously submitted to the relying party 110 during the registration process. If the identity network 105 determines that the identity attributes 612, 630 match, the user may be redirected to a relying party 110 page (not shown) notifying the user that the user is verified. If the identity network 105 determines that the identity attributes 612, 630 do not match, the identity network 105 may direct the user back to the original login page (e.g., page 600B) notifying the user that the user is not verified and highlighting the data fields 611 that did not match. Alternatively or additionally, the relying party 110 compares the identity attributes 612, 630 to determine whether the identity attributes 612, 630 match. In a further alternative, there is no verification page and the user is directly redirected back to the relying party 110 page corresponding to whether the identity attributes 612, 630 match, as discussed above.

FIG. 7 illustrates a block diagram of an example computer system 700 usable for performing image analysis, normalization, and display. The computing device 700 can be or include, for example, a laptop computer, desktop computer, tablet, e-reader, smart phone or mobile device, smart watch, personal data assistant (PDA), or other electronic device.

The computing device 700 can include a processor 740 interfaced with other hardware via a bus 705. A memory 710, which can include any suitable tangible (and non-transitory) computer readable medium, such as RAM, ROM, EEPROM, or the like. The memory 710 may include embody program components (e.g., instructions 715) that configure operation of the computing device 700. In some examples, the computing device 700 can include input/output (“I/O”) interface components 725 (e.g., for interfacing with a display 745, keyboard, or mouse) and additional storage 730.

The computing device 700 can include network components 720. Network components 720 can represent one or more of any components that facilitate a network connection. In some examples, the network components 720 can facilitate a wireless connection and include wireless interfaces such as IEEE 802.11, Bluetooth, or radio interfaces for accessing cellular telephone networks (e.g., a transceiver/antenna for accessing CDMA, GSM, UMTS, or other mobile communications network). In other examples, the network components 720 can be wired and can include interfaces such as Ethernet, USB, or IEEE 1394.

The computing device 600 may include a sensor 655. This may include a camera to capture images, microphone to record noises, a haptic sensor to detect pressure, or a biometric sensor to detect various biometric measurements (e.g., a fingerprint, heart rate, or the like).

Although FIG. 7 depicts a single computing device 700 with a single processor 740, the system can include any number of computing devices 700 and any number of processors 740. For example, multiple computing devices 700 or multiple processors 740 can be distributed over a wired or wireless network (e.g., a Wide Area Network, Local Area Network, or the Internet). The multiple computing devices 700 or multiple processors 740 can perform any of the steps of the present disclosure individually or in coordination with one another.

Each of the instructions, calculations, or operations described herein may be performed using a computer or other processor having hardware, software, and/or firmware. The various method steps may be performed by modules, and the modules may comprise any of a wide variety of digital and/or analog data processing hardware and/or software arranged to perform the method steps described herein. The modules optionally comprising data processing hardware adapted to perform one or more of these steps by having appropriate machine programming code associated therewith, the modules for two or more steps (or portions of two or more steps) being integrated into a single processor board or separated into different processor boards in any of a wide variety of integrated and/or distributed processing architectures. These methods and systems will often employ a tangible media embodying machine-readable code with instructions for performing the method steps described above. Suitable tangible media may comprise a memory (including a volatile memory and/or a non-volatile memory), a storage media (such as a magnetic recording on a floppy disk, a hard disk, a tape, or the like; on an optical memory such as a CD, a CD-R/W, a CD-ROM, a DVD, or the like; or any other digital or analog storage media), or the like. The instructions or operations may be stored in the non-transitory memory or memory device and executed by the processor, which causes the processor to perform the instructions or operations described.

Different arrangements of the components depicted in the drawings or described above, as well as components and steps not shown or described are possible. Similarly, some features and sub-combinations are useful and may be employed without reference to other features and sub-combinations. Embodiments of the invention have been described for illustrative and not restrictive purposes, and alternative embodiments will become apparent to readers of this patent. In certain cases, method steps or operations may be performed or executed in differing order, or operations may be added, deleted, or modified. It can be appreciated that, in certain aspects of the invention, a single component may be replaced by multiple components, and multiple components may be replaced by a single component, to provide an element or structure or to perform a given function or functions. Except where such substitution would not be operative to practice certain embodiments of the invention, such substitution is considered within the scope of the invention.

It is to be understood that the figures and descriptions of embodiments of the invention have been simplified to illustrate elements that are relevant for a clear understanding of the invention. Those of ordinary skill in the art will recognize, however, that these and other elements may be desirable. However, because such elements are well known in the art, and because they do not facilitate a better understanding of the invention, a discussion of such elements is not provided herein. It should be appreciated that the figures are presented for illustrative purposes and not as construction drawings. Omitted details and modifications or alternative embodiments are within the purview of persons of ordinary skill in the art.

The examples presented herein are intended to illustrate potential and specific implementations of the invention. It can be appreciated that the examples are intended primarily for purposes of illustration of the invention for those skilled in the art. There may be variations to these diagrams or the operations described herein without departing from the spirit of the invention. For instance, in certain cases, method steps or operations may be performed or executed in differing order, or operations may be added, deleted, or modified.

Furthermore, whereas particular embodiments of the invention have been described herein for the purpose of illustrating the invention and not for the purpose of limiting the same, it will be appreciated by those of ordinary skill in the art that numerous variations of the details, materials and arrangement of elements, steps, structures, and/or parts may be made within the principle and scope of the invention without departing from the invention as described in the claims.

All patents, patent publications, patent applications, journal articles, books, technical references, and the like discussed in the instant disclosure are incorporated herein by reference in their entirety for all purposes. 

What is claimed is:
 1. A method for sharing digital identity data, the method comprising, using an identity network: receiving a sign-up request for a user from a relying party; providing, for display to a user interface of a user device, a list of identity providers; in response to receiving a selection of the identity provider from the list of identity providers, causing the user interface to display a login page associated with the selected identity provider; receiving, from the selected identity provider, a plurality of identity attributes associated with the user; providing, for display to the user interface, the plurality of identity attributes associated with the user; receiving consent from the user to share the plurality of identity attributes associated with the user with the relying party; and redirecting the user interface to a page associated with the relying party.
 2. The method of claim 1, further comprising: providing the relying party access to the plurality of identity attributes.
 3. The method of claim 2, wherein: providing the relying party access to the plurality of identity attributes comprises encrypting the plurality of identity attributes and transmitting the plurality of identity attributes to the relying party.
 4. The method of claim 2, wherein: providing the relying party access to the plurality of identity attributes comprises providing the relying party with a token that is useable by the relying party to access the plurality of identity attributes.
 5. The method of claim 1, wherein: the plurality of identity attributes comprise at least one identity attribute selected from a group comprising of a name of the user, an address of the user, a telephone number of the user, an email address of the user, a gender of the user, a birthdate of the user, a peer-to-peer payment account token of the user, a driver's license number of the user, and a social security number of the user.
 6. The method of claim 1, further comprising: receiving a confirmation of authentication of the user; and wherein providing, for display to the user interface, the plurality of identity attributes includes providing the plurality of identity attributes in response to receiving the confirmation of authentication.
 7. The method of claim 1, further comprising: receiving from the relying party a first plurality of identity attributes associated with the user; and comparing the first plurality of identity attributes with the plurality of identity attributes provided by the selected identity provider to determine whether the identity attributes match.
 8. A method of authenticating a user with shared digital identity data, comprising, using an identity network: receiving from a relying party a first plurality of identity attributes associated with a user; providing, for display to a user interface of a user device, a list of identity providers; in response to receiving a selection of an identity provider from the list of identity providers, causing the user interface to display a login page associated with the selected identity provider; receiving from the selected identity provider a second plurality of identity attributes associated with the user; comparing the first and second plurality of identity attributes to determine whether the identity attributes match; and redirecting the user interface to a page associated with the relying party based on the comparison between the first and second plurality of identity attributes.
 9. The method of claim 8, wherein: the first and second plurality of identity attributes are similar; and redirecting the user interface comprises redirecting the user interface to a page notifying the user that the user is verified.
 10. The method of claim 8, wherein: the first and second plurality of identity attributes do not match; and redirecting the user interface comprises redirecting the user interface to a login page of the relying party.
 11. The method of claim 8, further comprising: providing the relying party access to the second plurality of identity attributes.
 12. The method of claim 11, wherein: providing the relying party access to the second plurality of identity attributes comprises encrypting the second plurality of identity attributes and transmitting the encrypted second plurality of identity attributes to the relying party.
 13. The method of claim 11, wherein: providing the relying party access to the second plurality of identity attributes comprises providing the relying party with a token that is useable by the relying party to access the encrypted second plurality of identity attributes.
 14. The method of claim 8, wherein: the first and second plurality of identity attributes comprise at least one identity attribute selected from a group comprising of a name of the user, an address of the user, a telephone number of the user, an email address of the user, a gender of the user, a birthdate of the user, a peer-to-peer payment account token of the user, a driver's license number of the user, and a social security number of the user.
 15. The method of claim 8, further comprising receiving consent from the user to share the second plurality of identity attributes associated with the user with the relying party.
 16. The method of claim 8, further comprising: receiving a confirmation of authentication of the user; and wherein providing, for display to the user interface, the plurality of identity attributes includes providing the plurality of identity attributes in response to receiving the confirmation of authentication.
 17. A non-transitory computing-device readable storage medium on which computing-device readable instructions of a program are stored, the instructions, when executed by one or more computing devices, causing the one or more computing devices to perform a method, comprising: receiving a sign-up request for a user from a relying party; providing, for display to a user interface of a user device, a list of identity providers; in response to receiving a selection of the identity provider from the list of identity providers, causing the user interface to display a login page associated with the selected identity provider; receiving, from the selected identity provider, a plurality of identity attributes associated with the user; providing, for display to the user interface, the plurality of identity attributes associated with the user; receiving consent from the user to share the plurality of identity attributes associated with the user with the relying party; and redirecting the user interface to a page associated with the relying party.
 18. The non-transitory computing-device readable storage medium of claim 17, wherein: the plurality of identity attributes comprise at least one identity attribute selected from a group comprising of a name of the user, an address of the user, a telephone number of the user, an email address of the user, a gender of the user, a birthdate of the user, a peer-to-peer payment account token of the user, a driver's license number of the user, and a social security number of the user.
 19. The non-transitory computing-device readable storage medium of claim 17, further comprising receiving a confirmation of authentication of the user; and wherein providing, for display to the user interface, the plurality of identity attributes includes providing the plurality of identity attributes in response to receiving the confirmation of authentication.
 20. The non-transitory computing-device readable storage medium of claim 17, wherein the plurality of identity attributes is a first plurality of identity attributes; and the method may further comprise comparing the first plurality of identity attributes with a second plurality of identity attributes provided by the selected identity provider to determine whether the identity attributes match. 